新书推介:《语义网技术体系》
作者:瞿裕忠,胡伟,程龚
   XML论坛     W3CHINA.ORG讨论区     计算机科学论坛     SOAChina论坛     Blog     开放翻译计划     新浪微博  
 
  • 首页
  • 登录
  • 注册
  • 软件下载
  • 资料下载
  • 核心成员
  • 帮助
  •   Add to Google

    >> XML与数字内容安全(DRM,XrML,RDD, MPEG-21, XACML), XML传输的安全, 基于XML的签名,基于XML的加密
    [返回] 中文XML论坛 - 专业的XML技术讨论区XML.ORG.CN讨论区 - 高级XML应用『 XML安全 』 → [转帖]SAML的新特性 (What's new with SAML?) 查看新帖用户列表

      发表一个新主题  发表一个新投票  回复主题  (订阅本版) 您是本帖的第 18127 个阅读者浏览上一篇主题  刷新本主题   树形显示贴子 浏览下一篇主题
     * 贴子主题: [转帖]SAML的新特性 (What's new with SAML?) 举报  打印  推荐  IE收藏夹 
       本主题类别:     
     admin 帅哥哟,离线,有人找我吗?
      
      
      
      威望:9
      头衔:W3China站长
      等级:计算机硕士学位(管理员)
      文章:5255
      积分:18406
      门派:W3CHINA.ORG
      注册:2003/10/5

    姓名:(无权查看)
    城市:(无权查看)
    院校:(无权查看)
    给admin发送一个短消息 把admin加入好友 查看admin的个人资料 搜索admin在『 XML安全 』的所有贴子 点击这里发送电邮给admin  访问admin的主页 引用回复这个贴子 回复这个贴子 查看admin的博客楼主
    发贴心情 [转帖]SAML的新特性 (What's new with SAML?)

    What's new with SAML?
    Ed Tittel
    03.29.2006



    In previous XML tips we've looked at (and around) the Security Assertion Markup Language, aka SAML. But in the wake of increasing adoptions and use—as for example, its adoption as a cornerstone of the US Federal E-Authentication Initiative—another look seems warranted and is bound to prove interesting.

    As of March 2005, in fact, there are three versions of SAML available:

    SAML 1.0, adopted as an OASIS standard in November, 2002 (this is the version that the e-authentication initiative has adopted)
    SAML 1.1, formalized as an OASIS standard in September, 2003 (this is the version around which most existing implementations are built)
    SAML 2.0 became an OASIS standard in March 2005
    All of these standards are readily available through the OASIS Web site and through the CoverPages SAML page. For the purposes of this tip, however, we'll concentrate on SAML 1.1.

    SAML 1.1 Assertions

    As the name of this XML applications indicates, it's all about security assertions. In fact, SAML supports three types of security assertions, all of which developers who must manage distributed or cooperative applications can't help but appreciate:

    Authentication statements: These assert to a service provider that a security principal has authenticated with an identity provider at a specific identified time using a specific identified method of authentication. Other information about a principal may also be included in such a statement, such as the principal's e-mail address.
    Attribute statements: These provide information about security principals to indicate whether or not they possess specific attribute values, which service providers will often use to grant or deny access to specific information or resources. Thus, for example, if a principal has an affiliated attribute value of "employee," that principal may then be allowed to access employee-only records or information about benefits, retirement plans and so forth.
    Authorization decision statements: These indicate whether or not a principal should be allowed or denied access to a secured resource associated with some specific uniform resource identifier (URI). This permits a Web server to delegate such decision making to security servers, often to the same server that provides identity management and authentication services.
    SAML 1.1 Protocol

    Within the SAML environment, the above-mentioned types of assertions are ferried within the SAML protocol, which follows a simple request-response structure. In this environment a SAML requester issues a SAML request message to a responder and the SAML responder replies with a SAML response message to the requester. These message structures are simple and relatively compact, where the headers identify the version of SAML in use, along with simple request and response IDs, as well as timestamps, and the payload contains one or more SAML statements (authentication, attribute or authorization decision statements, in other words).

    SAML 1.1 defines a single binding to support message exchange. Known as the SAML SOAP binding, it requires that a compatible implementation must implement SAML over SOAP over HTTP (other transport mechanisms are allowed providing all protocol-independent aspects of the SAML SOAP binding are transparently preserved). The binding occurs on SOAP version 1.1, where a SAML requester wraps a SAML request message within the body of a SOAP message, with a similar structure for replies from a SAML responder. The SOAP 1.1 specification also requires that if HTTP is used for transport, a SOAPAction HTTP header must be included in each HTTP request (this value may be something as simple as "SOAPAction: http://www.oasis-open.org/committees/security".

    SAML also uses profiles to define the HTTP exchanges used to transfer security assertions from an identity provider to a service provider, where SAML 1.1 specifies two different types of browser-based single sign-on profiles:

    Browser/artifact Profile
    Browser/POST Profile
    Together these profiles support cross-domain single sign-on (SSO). SAML profiles start at an inter-site transfer service, managed by the identity provider. After visiting the inter-site transfer service, the principal is transferred to an assertion consumer service at the service provider, where the mechanism for transfer depends on the provider used (the browser/artifact type uses a redirect, the browser/POST type uses a POST request). For convenience each type of profile gets its own separate URL, where the one for the Browser/Artifact type is called an Artifact Receiver UTL and the Browser/POST type is called an Assertion Consumer URL. Whereas the Browser/Artifact type uses a "pull model" wherein the profile essentially passes an SSO assertion from the identity provider to the service provider by reference (a kind of back channel exchange in which the service provider pulls the assertion from the identity provider), the Browser/Post type uses a push model wherein the profile passes an SSO assertion by value and no back channel communication is needed (so the identity provider pushes the assertion to the service provider).

    Either way, the contents of the request and response messages manage the dialog between identity and service providers and help developers offload the details of identity management and authentication from their own code. For most developers tasked with building safe, secure Web-based applications and services, this is a very good thing!

    In a future tip, we'll tackle what's new and interesting with SAML 2.0 and cover its increases in capability and functionality.

    About the author

    Ed Tittel is a full-time writer and trainer whose interests include XML and development topics, along with IT Certification and information security topics. E-mail Ed at etittel@techtarget.com with comments, questions or suggested topics or tools for review.


       收藏   分享  
    顶(0)
      




    ----------------------------------------------

    -----------------------------------------------

    第十二章第一节《用ROR创建面向资源的服务》
    第十二章第二节《用Restlet创建面向资源的服务》
    第三章《REST式服务有什么不同》
    InfoQ SOA首席编辑胡键评《RESTful Web Services中文版》
    [InfoQ文章]解答有关REST的十点疑惑

    点击查看用户来源及管理<br>发贴IP:*.*.*.* 2006/3/31 15:29:00
     
     ryuryuryu 帅哥哟,离线,有人找我吗?
      
      
      等级:大二(研究汇编)
      文章:41
      积分:233
      门派:XML.ORG.CN
      注册:2005/9/15

    姓名:(无权查看)
    城市:(无权查看)
    院校:(无权查看)
    给ryuryuryu发送一个短消息 把ryuryuryu加入好友 查看ryuryuryu的个人资料 搜索ryuryuryu在『 XML安全 』的所有贴子 引用回复这个贴子 回复这个贴子 查看ryuryuryu的博客2
    发贴心情 
    up,up
    thanks for sharing~~~~~~
    点击查看用户来源及管理<br>发贴IP:*.*.*.* 2006/4/2 10:05:00
     
     yinnanzzy 美女呀,离线,快来找我吧!
      
      
      等级:大一(猛啃高等数学)
      文章:13
      积分:106
      门派:XML.ORG.CN
      注册:2006/4/15

    姓名:(无权查看)
    城市:(无权查看)
    院校:(无权查看)
    给yinnanzzy发送一个短消息 把yinnanzzy加入好友 查看yinnanzzy的个人资料 搜索yinnanzzy在『 XML安全 』的所有贴子 引用回复这个贴子 回复这个贴子 查看yinnanzzy的博客3
    发贴心情 
    谢谢!!!
    点击查看用户来源及管理<br>发贴IP:*.*.*.* 2006/10/13 18:57:00
     
     visuale 帅哥哟,离线,有人找我吗?
      
      
      等级:大一(高数修炼中)
      文章:12
      积分:109
      门派:XML.ORG.CN
      注册:2006/4/5

    姓名:(无权查看)
    城市:(无权查看)
    院校:(无权查看)
    给visuale发送一个短消息 把visuale加入好友 查看visuale的个人资料 搜索visuale在『 XML安全 』的所有贴子 引用回复这个贴子 回复这个贴子 查看visuale的博客4
    发贴心情 
    支持一下
    点击查看用户来源及管理<br>发贴IP:*.*.*.* 2006/12/19 11:32:00
     
     GoogleAdSense
      
      
      等级:大一新生
      文章:1
      积分:50
      门派:无门无派
      院校:未填写
      注册:2007-01-01
    给Google AdSense发送一个短消息 把Google AdSense加入好友 查看Google AdSense的个人资料 搜索Google AdSense在『 XML安全 』的所有贴子 访问Google AdSense的主页 引用回复这个贴子 回复这个贴子 查看Google AdSense的博客广告
    2024/11/30 2:43:15

    本主题贴数4,分页: [1]

    管理选项修改tag | 锁定 | 解锁 | 提升 | 删除 | 移动 | 固顶 | 总固顶 | 奖励 | 惩罚 | 发布公告
    W3C Contributing Supporter! W 3 C h i n a ( since 2003 ) 旗 下 站 点
    苏ICP备05006046号《全国人大常委会关于维护互联网安全的决定》《计算机信息网络国际联网安全保护管理办法》
    86.914ms